Target says breach affected 'up to 70 million' people

The number of Target shoppers affected by the retailer’s massive data breach is even larger than previously reported.

In a Friday morning update, the nationwide retailer said the information stolen during the data breach includes names, mailing addresses, phone numbers, or email addresses for up to 70 million people.

Last month, Target divulged that hackers bypassed its security systems between Nov. 27 and Dec. 15, stealing information for 40 million debit and credit cards, but it didn’t indicate that personal details on tens of millions of other customers were also compromised.

Target said much of the stolen data is “partial in nature,” and that in cases where the retailer has an email address, it’ll attempt to communicate with affected guests. The company reminded customers that they’re not liable for fraudulent charges resulting from the breach, but “to provide further peace of mind,” it’s offering free credit monitoring and identity theft protection for anyone who shopped at one of its U.S. stores during the breach period.

“I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this,” said Target CEO Gregg Steinhafel in a statement. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”

Target also revised its fourth-quarter outlook following the “meaningfully weaker-than-expected sales” since disclosure of the breach, forecasting a sales decline of up to 6 percent for the remainder of the quarter.

The company can also expect to face a flurry of other costs as a result of the breach, such as liabilities related to payment card networks and the cost of civil litigation, governmental investigation, and legal expenses. Following a 2007 data breach in which hackers compromised retailer TJX’s systems, affecting more than 45 million credit and debit card holders, that company faced fines of more than $40 million.

Since the Target breach, millions of credit cards have flooded black markets. Reports indicate up to a twentyfold increase in the number of cards with high credit limits available through these shady marketplaces, which tend to accept virtual currencies like Bitcoin and Litecoin.

The Target thieves not only gained access to credit card numbers but also to three-digit CVV security codes, which merchants aren’t supposed to store — demonstrating a blatant disregard for data security best practices (not to mention compliance requirements) on Target’s part. Scam artists can use that information to make purchases at retail stores.

And in a reversal, Target confirmed PIN data was compromised during the data breach. If the intruders are able to decrypt that data, they could use cloned cards to withdraw cash from a victim’s bank account directly from ATMs.

The Target breach is one of the largest retail security breaches to date — and an absolute nightmare for everyone on the Target team.

“I do not envy anyone that has to respond to a breach like this,” said David Kidd, the director of quality assurance and compliance at Peak 10, a provider of cloud data solutions. “Going forward, this will be a cautionary tale and, I hope, a learning experience for information security professionals.”